High severityNVD Advisory· Published Apr 16, 2023· Updated Feb 6, 2025

org.xwiki.platform:xwiki-platform-livedata-macro vulnerable to Cross-site Scripting

CVE-2023-29508

Description

XWiki Commons are technical libraries common to several other top level XWiki projects. A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.xwiki.platform:xwiki-platform-livedata-macroMaven	>= 13.10.10, < 13.10.11	13.10.11
org.xwiki.platform:xwiki-platform-livedata-macroMaven	>= 14.4, < 14.4.7	14.4.7
org.xwiki.platform:xwiki-platform-livedata-macroMaven	>= 14.9, < 14.10	14.10

Affected products

Xwiki/Xwiki Platformv5
Range: >= 13.10.10, < 13.10.11

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-hmm7-6ph9-8jf2ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-29508ghsaADVISORY
github.com/xwiki/xwiki-platform/security/advisories/GHSA-hmm7-6ph9-8jf2ghsax_refsource_CONFIRMWEB
jira.xwiki.org/browse/XWIKI-20312ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.004
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000